WebInspect Detects Site Defects

Scanning Options

WebInspect lets you run a safe scan, a full scan or an assault scan. The safe scan checks for database errors and other nonthreatening problems, and performs attacks that aren't likely to cause your server to crash. The full scan includes some attacks that may cause a crash. The assault scan shoots off attacks that can cause a DoS (denial of service) failure--not a good idea if you can't afford the downtime. You can customize the tests and view every test being performed for each scan. Or you can write your own attacks.

I installed WebInspect on a Microsoft Windows 2000 workstation--no agents or additional software needed. I ran a full scan against five production Web servers that are part of our Syracuse University Real-World Labs®, four running Microsoft IIS and one running Apache. I also ran an assault scan on a test machine.

No matter which scan you run, the software crawls through the site first, indexing every page and directory. I scanned relatively small sites and each scan took at least an hour. WebInspect then examined each directory, looking for problematic files, such as email_list.txt, old versions of applications and backup files.

With an attack scan, WebInspect does a combination of Web server testing and client-side script inspection. In my tests, it discovered the test systems all had unpatched buffer-overflow vulnerabilities. It also found bugs in several Web applications, including Microsoft FrontPage. The software tests parameter manipulation, cross-site scripting and pages or parameters that produce database error messages. It does not check or inspect any code or scripts on the server that aren't accessible by a Web user.Problem Solved

In the full scan I ran against a site that used a SQL database, WebInspect looked at the parameters in a Web form. It then manipulated them and performed a SQL command injection, where client-supplied data makes its way into an SQL query string. The site had a bug that would let an attacker perform session hijacking with a hidden user ID parameter being passed in the form. A few minutes after the Webmaster's coders saw the report, they were able to issue a fix with a single line of JavaScript. The report helped the coders understand the problem--an improper parameter verification--so they could devise a solution.

I ran the assault scan on an unpatched default IIS server installation. You can see a report from the assault test here. It shows the output of the assault scan, including a detailed description of the vulnerability and how to patch it. Among other things, WebInspect found an Internet Printing Protocol buffer overflow. The report included a link to source code of a program that could execute this attack, and the original Microsoft and eEye advisory pages. The report also showed every e-mail address found (spam address harvesting), hidden pages and fields, comments in the code, forms and JavaScripts on the page.

WebInspect's advanced features include support for basic and NTML authentication and tools to encode or decode hex, unicode, base64 and md5.

Michael J. DeMaria is an associate technology editor based at Network Computing's Syracuse University's Real-World Labs®. Write to him at [email protected].Post a comment or question on this story.